Post Archive

April 12, 2018 . I’ve written rather extensively about the use of redirectors and how they can strengthen your red team assessments. Since my first post on the topic, the question I’ve received most frequently is about how to do the same thing with HTTPS traffic. In this post, I will detail different HTTPS redirection methods and when to use each. I’d like to give a shoutout to Joe Vest (@joevest) for building HTTPS command and control (C2) redirection into his cs2modrewrite tool and figuring out some of the required Apache configurations for such redirection. Dumb Pipe... [more]

January 23, 2018 . Penetration tests and red team assessments often require operators to work multiple potential attack paths or perform multiple checks concurrently. Cultivating these myriad paths is what often leads operators to success in achieving their objectives. However, this execution method can also lead to an operator making a simple mistake, like running a “known bad” action for which there is a trivial detection. I can say I personally have been in the heat of an attack path and accidentally run PowerShell in an environment with very heavy PowerShell monitoring. It happens. My coworker, Lee Christensen (@tifkin_), and I were recently... [more]

December 5, 2017 . Covert red team attack infrastructure is a topic I’ve covered many times before, but always only in part. I’ve wanted to write about the thought process behind designing attack infrastructure for a while. In October, I had the privilege of covering that very topic at ArcticCon in Minneapolis, a con by red teamers for red teamers. My talk, Building a Better Moat: Designing Effective Covert Red Team Attack Infrastructure, covered the what and the why of attack infrastructure, rather than focusing on the how. In this post, I will discuss attack infrastructure design considerations... [more]

October 3, 2017 . In a previous post, we (@Sw4mp_f0x and I) discussed the importance of data parsing skills for penetration testers and detailed the basics of how to get started with it. We covered a few tools, but only scraped the surface of what’s possible with two very powerful tools: awk and sed. As a refresher, AWK is a programming language for pattern scanning and processing. You run AWK commands with the awk tool. sed is a stream editor tool that is primarily used to restructure input by performing pattern substitutions. In this post, we will be covering more advanced uses... [more]

August 30, 2017 . Malleable Command and Control (C2) profiles provide red teamers and penetration testers with a wealth of options to modify how Cobalt Strike both appears on the wire and on the compromised host. Malleable C2 can be used to impersonate actual threat actors or normal web traffic. As with every advancement in offensive tradecraft, blue teams and defensive products are bound to implement static signature-based protections. In my opinion, a defender should use any resources available, including signature-based detections; however, they shouldn’t rely on any one defensive technique. As red teamers, it’s our job to exercise the blue... [more]

August 8, 2017 . This post was co-written by Steve Borosh (@424f424f) and Jeff Dimmock (@bluscreenofjeff). Monitoring attack infrastructure can prove to be as important as our attacking. Quickly hiding from investigating blue teamers can mean the difference between keeping our interactive command and control (C2) sessions and burning our infrastructure. If you’ve read the Red Team Infrastructure Wiki that Steve and I wrote, you know we’re big fans of heavily distributed infrastructure and using redirectors in front of everything. Monitoring becomes increasingly difficult when we have 20+ assets comprising our infrastructure. Luckily for us, this problem was solved a long... [more]

June 13, 2017 . As testers, we sometimes need some good, old-fashioned trial and error to get things working. Phishing is one of the attacks that commonly takes more than one attempt to get payloads and command and control (C2) working properly. This post covers how to help effectively perform payload trial and error by randomly serving payloads from one URL with Apache mod_rewrite. The technique described in this post lends itself more to a penetration test, where email phishing batches may span an entire target company, rather than a red team assessment, where email phishing is highly targeted and payload issues are painstakingly... [more]

May 23, 2017 . The Pass the Ticket (PtT) attack method uses a Kerberos ticket in place of a plaintext password or NTLM hash. Probably the most common uses of PtT are using Golden and Silver Tickets. Gaining access to a host via PtT is fairly straightforward; however, performing it through an SSH tunnel is more complex. At this year’s Pacific Rim CCDC, my fellow Red Teamers and I ran into a situation where we had the target’s krbtgt and machine account NTLM hashes and had unprivileged SSH access to one Linux host on the DMZ with internal network connectivity, but we had... [more]

May 2, 2017 . A few weeks ago, I had the pleasure of participating on the Red Team for Pacific Rim CCDC. This is my third year doing the competition, and I feel like I have more fun each year. This year, I was on the Windows Meta Team and a Red Cell Team with Lee Christensen (@tifkin_) and Andy Robbins (@_wald0). I’ve previously written two posts about the competition, in 2015 and 2016, and don’t want to rehash the same points I’ve already covered. In this post, I will focus on the Windows Meta Team infrastructure design, Cobalt Strike... [more]

April 11, 2017 . In the (belated) spirit of April Fool’s Day, I wanted to slightly diverge from a strictly infosec topic and talk about something that can be used for good (work) or evil (trolling coworkers): Slack bots. Incoming WebHooks Incoming Webhooks allow external applications to post into Slack. The webhook processes HTTP requests sent to a provided URL. The data is stored in a JSON payload and processed by Slack on receipt. Incoming webhooks are a good choice when you want to post data into Slack from an external source that wasn’t requested by a user. Incoming webhooks can currently... [more]

March 1, 2017 . In a recent post, I detailed how to make a Malleable C2 profile for Cobalt Strike. Malleable C2 profiles provide an operator with the ability to shape how defenders will see, and potentially categorize, C2 traffic on the wire. Communication Profiles in Empire provide similar functionality. This increases our chances of evading detection, allows us to emulate specific adversaries, or masquerade as widely-used applications on our target’s network. Empire Communication Profiles With Communication Profiles, we can customize options for Empire’s GET request URIs, user agent, and headers. A basic profile consists of each element, separated by the pipe... [more]

January 24, 2017 . It’s not fun to get caught on an assessment because your target has your toolset signatured. It’s even less fun if that signature is easily bypassed. Cobalt Strike’s Malleable C2 is a method of avoiding that problem when it comes to command and control (C2) traffic. Malleable C2 provides operators with a method to mold Cobalt Strike command and control traffic to their will. For instance, if you determine your target organization allows employees to use Pandora, you could create a profile to make Cobalt Strike’s C2 traffic look like Pandora on the wire. Alternatively, if a client wants... [more]

December 23, 2016 . Apache mod_rewrite provides conditional redirection and obfuscation to a red teamer’s infrastructure. I’ve previously written about mod_rewrite in a few posts. In this post, I will cover a few quick tricks you can use in conjunction with techniques from my earlier posts while phishing or red teaming. Be sure you read the first-time setup instructions for mod_rewrite to configure your server to work properly. Payload Hot-Swapping We’ve all been in a situation where, just after sending out a large phishing batch, we realize that some aspect of the payload doesn’t work in the target environment. Previously, the... [more]

November 29, 2016 . Tester flexibility and the ability to adapt to each environment’s unique controls and technologies are critical on assessments. Achieving an assessment’s objective often requires the use of multiple toolsets. Justin Warner (@sixdub) wrote about the importance of tool diversity in his post Empire & Tool Diversity: Integration is Key. Two toolsets I frequently use are Cobalt Strike and Empire. Sometimes an assessment requires migrating from one toolset to another for a specific task, or, worse, because incident responders have blocked your primary toolset. Currently, the most efficient way to pass sessions from one toolset to another is to use... [more]

October 14, 2016 . In a previous post, @Sw4mp_f0x and I discussed the importance of data parsing skills for penetration testers and detailed the basics of how to get started with it. In that post we covered multiple ways to match text and search for specific strings. The examples we used were pretty straightforward, which is not always true to life. In this post we will cover more advanced pattern matching with regular expressions, giving you even greater control and flexibility over your parsing tools. Regular Expressions A regular expression, often referred to as regex, uses metacharacters, wildcards, and literal characters... [more]

September 7, 2016 . As pentesters and red teamers, we have lots of commands floating around in our head. As much as the 1337 profess to hate GUIs, they sure do make testing a lot easier. Cobalt Strike provides testers a lot of power with an easy-to-use interface. Aggressor Script offers a wealth of extensibility options to expand Cobalt Strike’s built-in functions, but building out a custom GUI is a bit more difficult. Intro Cobalt Strike’s Aggressor Script is built upon Raphael Mudge’s Sleep language. As Raphael says, “Sleep is a Java-based scripting language heavily inspired by Perl,” and... [more]

July 26, 2016 . Parsing data is a fundamental ability that anyone serious about information security should consider putting time and effort into understanding. It can mean the difference between spamming Ctrl+F in a text editor and pulling out exactly what you need with a Bash one-liner that took a couple of minutes to create and modify. In the long run, the initial investment pays dividends for the rest of your infosec career. In this post, and those that follow, we will walk you through the tools and techniques we have used to find what we need when sifting through large amounts of data... [more]

June 28, 2016 . Imagine you are performing a Red Team engagement. So far it’s been very hard, fighting tooth and nail to get each step closer to totally owning their network. You finally get internal network access and things are stable. Everything looks good on your end, but on the Blue side of things IT is taking notice of traffic flowing to an unknown domain. A curious IT worker opens their browser and navigates to the site. 404 error. Suspicion++. Five minutes later your Beacons become unresponsive. You’re blocked. Now you have to spin up some new infrastructure and get in again. I... [more]

May 24, 2016 . Six weeks ago I had the opportunity to Red Team for Pacific Rim CCDC. I love doing this competition because it gives me a chance to do things one would never be allowed to do on a real network, and it forces me to think about a different set of problems than a pentest or red team engagement. In this post I will discuss my thoughts and experiences before, during, and after this year’s competition. Preparation Last year I made a few goals for myself, mostly centered around preparation. About a month before the competition some friends and... [more]

April 19, 2016 . On more than a few occasions phishing recipients have forwarded my phish to IT. The first indication is usually when I’m watching the access logs like a hawk and see multiple GET requests with a user’s token, yet haven’t received any credentials or beacon sessions. Sometimes it turns out the user is being blocked by a technical control after the initial request, but other times we are told that the user did what their security training suggested and forwarded the email. Yay. I don’t like the thought of being one email forward away from IR having free rein to peruse... [more]

April 12, 2016 . Any phishing campaign involving an active incident response element usually requires some evasive steps to prolong its longevity. This often includes being stealthier, performing anti-forensics actions, or avoiding certain tradecraft altogether. Phishing is no different, and is often the most ‘vulnerable’ part of a campaign from an active IR perspective. Using a distributed infrastructure built with independent components helps reduce the risk of the overall architecture being blocked, but individual phishing campaigns are likely to be caught and blocked throughout the duration. The longer we can stretch out the usability of each of those campaigns, the better our chances of... [more]

April 5, 2016 . At times you may find yourself testing an environment comprised of a fair mix of operating systems. Maybe the marketing department is half Windows and half Mac OS X. In these cases, it may not be feasible to determine users’ operating systems via a preliminary phish. OS detection is nothing new. The goal of this method is to allow us to perform detection and proxying in one place while looking as legitimate as possible to the phish victim. No URL changing, no excessive page reloads and refreshes. This detection method is similar to my previous post about redirecting mobile... [more]

March 29, 2016 . There have been times when a curious phish recipient or a zealous help desk staffer has loaded the phishing link in their browser and decided to take a peek at a higher directory or the root domain. Of course, most times there isn’t much else on the site to see. In those cases, the chances of being reported to IR went up significantly, sometimes leading to a phishing campaign being blocked. This is where invalid URI redirection comes in handy. We can whitelist resources the Apache server will proxy for the targets and redirect any other requests to the target’s real domain... [more]

March 22, 2016 . Oftentimes a corporate internal network is heavily locked down. Workstations are restricted with limited internet access. These controls are often less strict on mobile devices (or sometimes not present), especially with BYOD being implemented more and more. While phishing, Apache access logs often show mobile devices accessing the malicious page, yet no sessions are established. I investigated a number of ways to solve the problem and ultimately landed on using Apache’s Rewrite module. The more I learned about mod_rewrite’s abilities, the more benefit I saw in using Apache redirectors for phishing. This post is the first in a series... [more]

February 19, 2016 . SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes to a target host. This post assumes you already understand the basics of SMB Relay (if not, I highly suggest you check out Mark Baggett’s SANS post SMB Relay Demystified and NTLMv2 Pwnage with Python). SMB Relay has hands down been the most frequent foothold I’ve found on internal network pentests; however, sometimes the users in my broadcast domain don’t seem to have Local Administrator rights on any of the targeted hosts, or AV is making the process take a lot longer... [more]

May 13, 2015 . I’ve been using TrustedSec’s Unicorn a LOT over the past few months. In fact, it’s become my go-to payload to pop a box. While it’s awesome to be able to paste a command and get a shell, sometimes an EXE is required. For those cases, I’ve made a script to make the whole process automated: powershell_exe.py tl;dr powershell_exe.py uses winrar’s command-line options under wine to make a self-extracting archive. Source Setup instructions:
cd /opt
git clone https://github.com/trustedsec/unicorn.git
cd ~/Desktop
wget http://www.rarlab.com/rar/wrar511.exe
wine wrar511.exe
Now just go through the... [more]

April 15, 2015 . I had the opportunity to take part in the Pacific Rim CCDC this past weekend and it was a BLAST! It was my first CCDC, so I really didn’t know what to expect. I did know that the last thing I would want to be doing is installing and configuring tools during test time. Kali I erred on the side of installing tools I may not use rather than not installing something I would need. I’ve got a go-to script I use for setting up and customizing a Kali VM. It installs a ton of tools and scripts... [more]

June 26, 2014 . Persistence is a great thing to have on a pentest, especially if testing from the outside. Persistence also seems to be a word that makes the hairs on the back of clients’ necks stand up. Backdoors are a scary thing if you’re in charge of keeping a network secure. When it comes to installing persistence, there are quite a few options available, such as Metasploit’s persistence module or scheduleme.rb. As one would expect, these modules leave a permanent payload and a schedule for phoning home to the tester’s box. But what about when this is out of scope? Here’s a... [more]

April 17, 2014 . Veil is awesome - it makes payload generation easy and supports a wide variety of payloads with new ones being dropped pretty often. Getting caught by AV during a test is not awesome. Being caught because the target’s AV had a signature hit on you is even worse. Because YOU (the tester) messed up. You didn’t take the extra few minutes to regenerate a payload. I’ve been there and I’m sure you’ve been there. It sucks and you feel silly. The solution? Use Veil’s command line options and cron to regenerate payloads every 30 minutes. Server Build This is the... [more]

February 11, 2014 . There are a number of commands that tend to get run on every session I get on a target in Metasploit. Using resource files, these commands can be automated to dump as much information as possible, as quickly as possible. This can be combined with an MSFConsole autostart script to automate the starting of handlers and pre-fill options for post modules that don’t need to be run on every session. First we make a new file for the autorunscript to be run on each new session: nano /infogather and paste the following in the file: ... [more]